
Cybersecurity Update 24 August - 5 September 2025

Writer: Melissa Hathaway

United States of America

Salesloft Drift Compromised. On 26 August 2025, Google Threat Intelligence reported that Salesforce customers that used Salesloft Drift are likely compromised, most likely by Shiny Hunters. Salesloft Drift is an AI-powered chat agent that lets websites offer real-time, human-like customer interaction that can be turned into leads in Salesforce and other customer relationship management platforms, as well as Slack, Google Workspace, Amazon S3, Microsoft Azure, OpenAI, and others. Salesloft Drift integrates with 58 third-party tools covering customer relationship management, automation, analytics, sales, communications, and support. “Beginning as early as 8 August 2025 through at least 18 August 2025, the malicious actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.” “Using a single token stolen from Salesloft, the malicious actor was able to access tokens for any Drift-linked organization. The malicious actor then used the Salesforce tokens to directly access that data and exfiltrate it to servers, where they looked for plaintext credentials, including Amazon, Snowflake, and other passwords.” “The malicious actor systematically exported large volumes of data from numerous corporate Salesforce instances. Google assesses the primary intent of the malicious actor is to harvest credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.” Once these credentials were exfiltrated, “the actor then searched through the data to look for secrets that could be potentially used to compromise victim environments,” and then covered its tracks by deleting query jobs. Google’s Threat Intelligence Group “is aware of over 700 potentially impacted organizations,” and the malicious actor “used a Python tool to automate the data theft process for each organization that was targeted.” Cloudflare, Google, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, and Zscaler have all confirmed that their Salesforce instances were breached. Salesloft’s Drift bots were hacked when the company announced its plan to merge with rival Clari; in the merger announcement, the combined companies said they will serve more than 5,000 organizations globally across all industries. Google’s advice is to treat all Salesloft Drift integrations into any platform as compromised. Google recommends that organizations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access. (Google, Salesloft Blog, CyberScoop, CybersecurityDive, ArsTechnica, KrebsOnSecurity, SecurityAffairs, TechRepublic)
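A defender-side illustration of Google's last recommendation, added here and not taken from Google's or Salesloft's tooling: a small scanner that sweeps exported Salesforce records for the same kinds of secrets the actor was hunting (AKIA-style AWS access key IDs, inline passwords, Snowflake account hostnames) and reports masked hits so a response team knows which credentials to rotate. The regexes and the sample Case rows are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Credential shapes to look for. These regexes are my assumptions, not
# anything published by Google or Salesloft. AWS access key IDs are 20
# characters starting with AKIA (long-term) or ASIA (temporary session).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
    "snowflake_account_url": re.compile(
        r"(?i)\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.snowflakecomputing\.com\b"),
}


@dataclass(frozen=True)
class Finding:
    record_id: str   # Salesforce record the secret was found in
    field: str       # which column held it (Description, Comments, ...)
    kind: str        # key from SECRET_PATTERNS
    masked: str      # prefix-only view so the report does not re-leak it


def mask(value: str) -> str:
    """Keep a 4-character prefix (enough to match against a key inventory)."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_records(records: list[dict]) -> list[Finding]:
    """Sweep every string field of every exported record for secret shapes."""
    findings = []
    for rec in records:
        rid = str(rec.get("Id", "<no id>"))
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    # Patterns with a capture group report only the secret,
                    # not the "password=" label that precedes it.
                    value = m.group(1) if m.groups() else m.group(0)
                    findings.append(Finding(rid, field, kind, mask(value)))
    return findings


def rotation_summary(findings: list[Finding]) -> dict[str, int]:
    """Count hits per credential class so responders know what to rotate."""
    summary: dict[str, int] = {}
    for f in findings:
        summary[f.kind] = summary.get(f.kind, 0) + 1
    return summary


# Constructed sample rows shaped like an exported Salesforce Case object.
# All values, including the AKIA key (AWS's documented example), are fake.
SAMPLE_CASES = [
    {"Id": "500xx000000001", "Subject": "Deploy fails",
     "Description": "Tried AKIAIOSFODNN7EXAMPLE from my laptop, still denied."},
    {"Id": "500xx000000002", "Subject": "Service account reset",
     "Comments": "Reset password=Winter2025! for the svc account, please."},
    {"Id": "500xx000000003", "Subject": "Data share",
     "Description": "Shared via xy12345.us-east-1.snowflakecomputing.com, ok?"},
    {"Id": "500xx000000004", "Subject": "Invoice question",
     "Description": "Customer asks about an invoice; no credentials involved."},
]

if __name__ == "__main__":
    hits = scan_records(SAMPLE_CASES)
    for h in hits:
        print(f"{h.record_id} {h.field:<12} {h.kind:<22} {h.masked}")
    print("rotate:", rotation_summary(hits))
```

Point the scanner at a full export of the objects Drift could read (Cases, Contacts, Accounts) rather than only the fields you expect to be sensitive; in this incident the secrets lived in free-text support data.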


DOGE Employees Put Social Security Data into a Vulnerable Cloud Environment. On 26 August 2025, the Social Security Administration’s (SSA) chief data officer, Chuck Borges, sent a letter to Congress via the Government Accountability Project stating that DOGE officials, currently employed as SSA employees, put at least 300 million Americans’ Social Security data into a vulnerable cloud environment. This environment is effectively a live copy of the entire country’s Social Security information from the Numerical Identification System (NUMIDENT) database, and it lacks any security oversight from SSA or any tracking to determine who is accessing or has accessed the copy. NUMIDENT contains all data submitted in an application for a United States Social Security card, including the applicant’s name, place and date of birth, citizenship, race and ethnicity, parents’ names and Social Security numbers, phone number, address, and other personal information. Should malicious actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft and may lose vital healthcare and food benefits, and the government (in the worst-case scenario) may be responsible for re-issuing every American a new Social Security Number. The lack of security protections violates internal agency security controls and federal privacy laws. The copy of the data appears to have been set up inside the SSA’s existing cloud infrastructure, which runs on Amazon Web Services. It is important to note that, on 6 June 2025, the Supreme Court ruled in favor of giving the DOGE team access to SSA data. On 10 June 2025, a former DOGE employee at the SSA named John Solly, operating under the authority of SSA Chief Information Officer (CIO) Aram Mogaddassi, requested that the agency copy its NUMIDENT database to a private cloud located within the SSA’s Amazon Web Services Agency Cloud Infrastructure, circumventing oversight. On 29 August 2025, Mr. Borges sent an email to agency staff claiming that he had been forcibly removed from his position after filing the whistleblower complaint. Minutes after the email went out, it disappeared from employee inboxes. His email stated, “after reporting internally to management and externally to regulators serious data security and integrity concerns impacting our citizens' most sensitive personal data, I have suffered exclusion, isolation, internal strife, and a culture of fear, creating a hostile work environment and making work conditions intolerable.” (Whistleblower Letter, Wired, HandBasket, NPR, The Hill, TechCrunch, Government Accountability Project, NYT)


Anthropic Warns AI Was Weaponized in Cybercrime Rampage. On 27 August 2025, Anthropic published a report revealing that malicious actors leveraged its Claude AI chatbot to conduct large-scale theft and extortion of personal data in July 2025, affecting victims across government, health care, emergency services, and religious institutions. Anthropic said the malicious actor used AI as both a consultant and an active operator to execute attacks that would otherwise have been more difficult and time-consuming. “The actor employed Claude Code on Kali Linux as a comprehensive attack platform, embedding operational instructions in a CLAUDE.md file that provided persistent context for every interaction.” Moreover, the malicious actor used Claude Code to craft bespoke versions of the Chisel tunneling utility to sidestep detection efforts and to disguise malicious executables as legitimate Microsoft tools, an indication of how AI tools are being used to assist malware development with defense-evasion capabilities. The cybercrime campaign targeted at least 17 organizations and resulted in the compromise of personal records, including healthcare data, financial information, government credentials, and other sensitive information, with ransom demands ranging from $75,000 to $500,000 in cryptocurrency. (Anthropic Threat Intelligence Report, NBC, HackerNews, Bloomberg, CSOOnline, OODALoop, TechRepublic)


Cybersecurity Maturity Model Certification Required. On 25 August 2025, the Office of Information and Regulatory Affairs cleared the Department of Defense acquisition rule in Title 48 of the Code of Federal Regulations for assessing contractor cybersecurity requirements. This makes the Cybersecurity Maturity Model Certification (CMMC) binding both as policy and in contract awards, and it will affect at least 220,000 to 300,000 contractors and subcontractors, with about 80,000 expected to require Level 2 certification. The CMMC 2.0 cybersecurity requirements will likely appear in DoD contracts and solicitations covering Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) as early as the end of October 2025. Where included, DoD contractors can expect to see CMMC language inserted, including the required level of certification and DFARS Clause 252.204-7021. To achieve CMMC status, companies must identify their required level, implement the corresponding security controls, undergo a formal assessment, and then annually affirm their continued compliance in the Supplier Performance Risk System (SPRS). (Forbes, SecDef July 2025 Memo, MMMLaw)


Farmers Customers Affected by Third-Party Breach. On 22 August 2025, Farmers Insurance, Farmers Insurance Exchange, and several other affiliated companies filed breach notification documents in Maine, California, and Massachusetts. The malicious actors gained access to a database containing Farmers’ customer information: names, dates of birth, driver’s license numbers, and the last four digits of Social Security numbers. The insurance company said 1,071,172 people were affected. The incident is believed to be linked to Scattered Spider. Victims of the incident, which was discovered on 30 May 2025, are being offered two years of identity-theft protection. (The Record)


Bluesky’s Service Exits Mississippi. On 22 August 2025, Bluesky announced that it would no longer provide service in the state of Mississippi and that it will be blocking all IP addresses within Mississippi for the foreseeable future. These actions respond to a recent US Supreme Court decision that allows the state to enforce strict age verification for social media platforms. Bluesky stated, “we think this law creates challenges that go beyond its child safety goals, and creates significant barriers that limit free speech and disproportionately harm smaller platforms and emerging technologies.” The reality for any social media platform delivering service to Mississippi is that every user must undergo an age check or the platform risks being fined. The law would also require platforms to identify and track which users are children. (US Supreme Court, AP, Wired, BlueSky, Mississippi Age Assurance Law)


44 AGs Sign Open Letter to Protect Children from AI Chatbots. On 25 August 2025, forty-four attorneys general signed an open letter to 11 chatbot and social media companies on Monday, warning them that they will “answer for it” if they knowingly harm children and urging the companies to see their products “through the eyes of a parent, not a predator.” The companies that received the letter included Anthropic, Apple, Chai AI, OpenAI, Character Technologies, Perplexity, Google, Replika, Luka Inc., XAI, and Meta. The letter cites recent media reporting uncovering chatbot interactions, as well as internal policies at Meta that said “it is acceptable to engage a child in conversations that are romantic or sensual.” The letter states: “exposing children to sexualized content is indefensible. And conduct that would be unlawful—or even criminal—if done by humans is not excusable simply because it is done by a machine.” The letter went on to say, “When your AI products encounter children, we need you to see them through the eyes of a parent, not the eyes of a predator. Protect kids, encourage them, and equip them to succeed. Err on the side of child safety, always. If you knowingly harm kids, you will answer for it.” (404 Media, Open Letter, Reuters)


GSA Launches a FedRAMP Pilot for AI Services. On 25 August 2025, the General Services Administration announced that it was launching a pilot under its Federal Risk and Authorization Management Program (FedRAMP) 20x initiative, with the goal of streamlining how cloud-based artificial intelligence (AI) products move through the certification process. The pilot will focus on AI-based cloud services that provide access to “conversational AI engines designed for routine and repeated use by federal workers.” GSA stated that “this accelerated prioritization aims to streamline the adoption of advanced AI capabilities across the federal government, significantly enhancing operational efficiency and innovation.” FedRAMP, GSA said, aims to collaborate with the Office of Management and Budget (OMB) and the CIO Council to “provide additional support to fast-track the authorization process for qualified AI cloud providers to ensure secure and compliant integration into federal agency operations.” (NexGov, MeriTalk)


Secretary Noem Fires FEMA’s IT Team. On 29 August 2025, Secretary Noem announced that she is firing two dozen members of the Federal Emergency Management Agency’s (FEMA) IT department after it was discovered that they brazenly neglected basic security protocols. While conducting a routine cybersecurity review, the DHS Office of the Chief Information Officer (OCIO) discovered significant security vulnerabilities that gave a threat actor access to FEMA’s network. Failures included an agency-wide lack of multi-factor authentication, use of prohibited legacy protocols, failure to fix known and critical vulnerabilities, and inadequate operational visibility. She terminated FEMA’s chief information officer, chief information security officer, and 22 other IT employees. (DHS Statement, PoliticoPro, NextGov, Wired)


Malicious Actors Use Google Classroom to Target 13,500 Organizations. Malicious actors abused Google Classroom’s core functionality to disseminate more than 115,000 malicious phishing emails targeting approximately 13,500 organizations globally. The campaign was conducted between 6 and 12 August 2025. Its success hinged on exploiting the inherent trust associated with Google Classroom’s infrastructure, which facilitates seamless communication between educators and students through invitation-based mechanisms. By masquerading as legitimate classroom join requests, the phishing emails evaded initial detection by many email security gateways: because the messages were genuinely sent from Google’s infrastructure, they passed SPF, DKIM, and DMARC validation that would otherwise flag spoofed origins, so the platform’s reputation carried them past traditional filters. (Check Point Blog, GBHackers)


China’s Salt Typhoon Targeted More than 80 Countries. On 27 August 2025, a joint cybersecurity advisory was released warning of Chinese state-sponsored activity targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. The advisory calls out three Chinese companies that appear to be supporting the Chinese government: Sichuan Juxinhe Network Technology Co. Ltd.; Huanyu Tianqiong Information Technology Co., Ltd.; and Sichuan Zhixin Ruijie Network Technology Co., Ltd. The Federal Bureau of Investigation (FBI) notified at least 600 organizations that the malicious actors are interested in their systems. Instead of smash-and-grab tactics, the group hid in routers and surveillance systems for years, siphoning sensitive data from more than 200 organizations. The advisory provides technical details to strengthen detection and defensive initiatives. (Joint Cybersecurity Advisory, NextGov, WP, DHS Memo, WSJ)


Navy Federal Exposes Member Data. On 2 September 2025, a researcher, Jeremiah Fowler, found an unencrypted and non-password-protected AWS database that contained 378 GB of backup data. The data contained references to Navy Federal Credit Union’s (NFCU) members. The database held storage locations, keys, hashed passwords, and other potentially sensitive internal information. The researcher sent a responsible disclosure notice to NFCU, and the database was restricted from public access within hours of the report and is no longer accessible. (WebsitePlanet, GovInfoSec)


International Items of Interest 


Jaguar Land Rover Cyber Incident Disrupts Operations. On 31 August 2025, Jaguar Land Rover (JLR) suffered a cyber attack that severely disrupted vehicle production, including at its two main UK plants (Merseyside and Solihull), and left dealerships unable to process new car registrations. Scattered Spider took credit for the incident. The company said: “We took immediate action to mitigate its impact by proactively shutting down our systems. We are now working at pace to restart our global applications in a controlled manner.” In JLR’s blog: “At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted.” This suggests a ransomware incident. Cybersecurity experts point out that the attack exposes the fragility of increasingly digitalized operations, where tightly integrated systems that support a broad range of activities require strong cyber hygiene, robust authentication and authorization, and enhanced data flow protection. In 2023, as part of an effort to “accelerate digital transformation across its business,” JLR signed a five-year, £800m deal with corporate stablemate Tata Consultancy Services to provide cybersecurity and a range of other IT services. (BBC, JLR Statement, SecurityWeek, ArchyWorldy)


Russia Uses Aggressive Backdoor Built on Visual Basic. On 3 September 2025, S2 Grupo’s threat intelligence lab, LAB52, published a report on a new set of activities attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). The NotDoor backdoor is a sophisticated Visual Basic for Applications (VBA)-based malware targeting Microsoft Outlook, designed to monitor incoming emails for specific trigger words and execute malicious commands. VBA is Microsoft’s embedded scripting language used to automate tasks in Office applications such as Excel, Word, and Outlook. NotDoor enables malicious actors to exfiltrate data, upload files, and run arbitrary commands on compromised systems. (Lab 52 Report, InfoSecMag)


Cyberattack on Swedish IT Provider Disrupts Hundreds of Municipalities. On 25 August 2025, it was reported that the Swedish company Miljödata, which supplies work environment and HR systems to roughly 80% of Sweden’s municipalities, was hit by ransomware. Miljödata’s systems are used by the majority of municipalities in Sweden to handle medical certificates, rehabilitation cases, occupational injuries, incident and work environment reporting, and systematic work environment management (SAM). The incident disrupted digital access for more than 200 municipal regions, and the Swedish government is warning its citizens that “sensitive personal data may have been leaked.” The Swedish Minister for Civil Defence, Carl-Oskar Bohlin, stated that “CERT-SE, which has the task of supporting Swedish society in handling and preventing IT security incidents, has offered advice and support to both the company in question and the affected customers.” “The national cybersecurity center is coordinating the measures of the relevant authorities and a police investigation is also underway.” (BleepingComputer, AftonBladet, The Record)


Nissan Confirms Design Studio Data Breach. On 16 August 2025, Nissan detected suspicious access on the data server of Creative Box Inc. (CBI). CBI is a Tokyo-based design studio, wholly owned by Nissan Motor Co. Ltd., established as a “think tank” that focuses on experimental and concept vehicle designs. On 20 August 2025, the Qilin ransomware group added CBI to its dark web portal, claiming to have stolen at least four terabytes of data, including 3D vehicle design models, internal reports, financial documents, VR design workflows, and photos. Nissan stated, “Currently, a detailed investigation is underway, and it has been confirmed that some design data has been leaked.” (BleepingComputer)


74% of UK Companies Admit Insecure Code Caused a Security Breach. In July 2025, SecureFlag surveyed 100 UK C-suite and senior technology leaders to understand how organizations approach secure coding training for developers, what benefits and challenges they perceive, and whether these training efforts are making a tangible difference in security outcomes. Nearly three-quarters of organizations have suffered at least one security breach or incident in the last year that can be blamed on insecure coding practices. The report comes as AI is beginning to take over some coding duties from developers. (ITPro, SecureFlag)


ENISA to Operate the EU Cybersecurity Reserve with EUR 36 million. On 26 August 2025, the European Union Agency for Cybersecurity (ENISA) and the European Commission signed a contribution agreement through which the Commission entrusts ENISA with the administration and operation of the EU Cybersecurity Reserve. The Reserve is funded through the Digital Europe Programme (DEP) under the Cyber Solidarity Act. The initiative aims to strengthen the cyber resilience of the EU, its Member States, and, under certain conditions, third countries associated with DEP. The EU Cybersecurity Reserve, foreseen in Article 14 of the EU Cyber Solidarity Act, consists of incident response services from trusted managed security service providers. This support mechanism will be activated should significant and large-scale cybersecurity incidents occur, for the purpose of responding to and recovering from such incidents. (Industrial Cyber)


EU to Boost Cyber Defenses for GPS. On 31 August 2025, the GPS system of European Commission President Ursula von der Leyen’s airplane was jammed while en route to Bulgaria. Bulgaria’s government stated that the GPS signal was lost as von der Leyen’s plane approached the southern city of Plovdiv, prompting air traffic controllers to switch to ground-based navigation systems to ensure a safe landing. In response, the European Union plans to deploy more low-Earth-orbit satellites and better detection tools to guard against GPS signal interference. (Reuters)


EU Court Preserves EU-US Data Privacy Framework. On 3 September 2025, the European Court of Justice dismissed a plea to annul the EU-U.S. Trans-Atlantic Data Privacy Framework (DPF). This decision allows U.S. organizations certified under the DPF to continue transferring personal data from the EU, providing temporary legal certainty for businesses. Companies should continue to consider alternative data transfer mechanisms, such as Standard Contractual Clauses (SCCs), as a contingency against future appeals. (Court Ruling, GovInfoSec, JonesDay, CSOOnline, The Record)

